The critical vulnerability (CVE-2023-46747) in F5’s BIG-IP product is being actively exploited. The first instances of exploitation were observed less than five days after the vulnerability was publicly disclosed and proof-of-concept (PoC) exploit code was made available. The vulnerability, which has a CVSS score of 9.8, affects the Traffic Management User Interface of BIG-IP and allows unauthenticated remote code execution.
This vulnerability, rooted in the configuration utility component of BIG-IP, allows an attacker to gain full administrative access to a vulnerable system. F5 released patches for BIG-IP versions 13.x through 17.x on October 26, urging customers to install them immediately.
In an update to the original advisory on October 30, the application delivery solutions provider warned that threat actors are exploiting this vulnerability in conjunction with another flaw in BIG-IP’s configuration utility, CVE-2023-46748 (CVSS score of 8.8). The NIST advisory for CVE-2023-46748 states, “An authenticated SQL injection vulnerability exists in the BIG-IP configuration utility which may allow an authenticated attacker with network access to the configuration utility through the BIG-IP management port and/or self IP addresses to execute arbitrary system commands.”
F5 has released indicators of compromise (IoCs) for both vulnerabilities to assist organizations in identifying potential breaches. The company states that the information is based on evidence observed on compromised devices and that these indicators appear to be reliable.
The Project Discovery team released a PoC exploit targeting CVE-2023-46747 over the weekend, and Praetorian Security, the organization that identified the bug, updated their initial blog with additional technical details. According to Praetorian, the exploitation process involves AJP (Apache JServ Protocol) request smuggling to create a new System user, log in with administrative credentials, and run arbitrary commands on an impacted system.
Praetorian researcher Michael Weber notes, “The process of abusing AJP request smuggling causes Tomcat and Apache to get out of sync. So as you send more of these requests, the de-sync gets worse. Eventually the server gets so out of sync that it becomes incapable of actually serving the correct site once you ask for it.” Weber adds that during testing, they often had to reboot the entire server because it was quicker than waiting for things to return to normal.
Praetorian has revealed that thousands of internet-accessible BIG-IP instances are potentially vulnerable to exploitation, with many of these belonging to organizations in the telecommunications sector.